91.580.203 Computer & Network Forensics Part I: Computer Forensics Chapter 2 Understanding Computer Investigation Xinwen Fu

Page 1:

91.580.203 Computer & Network Forensics
Part I: Computer Forensics
Chapter 2: Understanding Computer Investigation
Xinwen Fu

Page 2:

BIS@DSU, Dr. Xinwen Fu

Outline

- Prepare a case
- Conduct an investigation
- Complete a case
- Critique a case

Page 3:

Course Outline

Incident occurs: point-in-time or ongoing

- Pre-incident preparation
- Detection of incidents
- Initial response
- Formulate response strategy
- Investigate the incident:
  - Data collection
  - Data analysis
  - Reporting
- Resolution / recovery
- Implement security measures

CSIRT: Computer Security Incident Response Team

Page 4:

Preparing a Computer Investigation

Role of a computer forensics professional:
- Gather evidence to determine whether a suspect committed a crime or violated a company policy
- Maintain valid evidence that can be offered in court or at a corporate inquiry
- Follow an accepted scientific procedure to prepare a case

Page 5:

Things to Do while Preparing a Case

1. Assessing the case
2. Planning the investigation
3. Securing evidence

Page 6:

1. Assessing the Case

Systematically outline the case details:
- Nature of the case: public/private
- Type of evidence
- Location of evidence

Based on the case details, you can determine the case requirements: computer forensics tools, special OSs

Page 7:

2. Planning your Investigation - Steps

1. Acquire the evidence
2. Complete an evidence form and establish a chain of custody
   - The chain of custody is the route the evidence takes from the time you find it until the case is closed or goes to court
   - Prison Break, the videotape case (Michael Scofield and Lincoln Burrows): Lincoln Burrows is lured into killing somebody; when he pulls out the gun in a garage, the victim is already dead; everything is taped, and the tape is manipulated so that it seems Lincoln fires. The point of the example: without a documented chain of custody, nobody can show that the tape was not altered between the recording and the courtroom

Page 8:

Single-Evidence Form

Page 9:

2. Planning your Investigation (Cont.)

3. Secure evidence in an approved secure container
4. Transport evidence to a computer forensics lab
5. Prepare a forensics workstation
6. Obtain the evidence from the secure container
7. Make a forensic copy of the evidence
8. Return the evidence to the secure container
9. Process the copied evidence with computer forensics tools
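The evidence form and chain of custody above are paper records in the course; the following is an added illustration (not part of the slides or the course's Single-Evidence Form) of how the same custody trail can be kept tamper-evident in software. Field names follow the form loosely, and every case number, name, time and hash value is constructed. Each entry carries the SHA-256 of the entry before it, so rewriting or dropping an earlier transfer breaks every later link:

```python
"""Tamper-evident chain-of-custody log.

Added illustration, not the course's Single-Evidence Form. Field names follow
the form loosely; every value below is constructed. Each entry carries the
SHA-256 of the previous entry, so altering or deleting an earlier entry breaks
every later link and verify_chain() reports where the chain first fails.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace


@dataclass(frozen=True)
class CustodyEntry:
    case_no: str           # case identifier
    item_no: int           # evidence item number from the evidence form
    action: str            # seized / sealed / transported / checked out / imaged / returned
    handler: str           # person taking or releasing custody
    timestamp: str         # ISO-8601, recorded when the transfer happens
    location: str          # where the item is when the action completes
    evidence_sha256: str   # hash of the acquired image, "" until imaging
    prev_hash: str         # SHA-256 of the previous entry, "" for the first

    def digest(self) -> str:
        # Canonical JSON so the hash does not depend on field order or spacing.
        blob = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode()).hexdigest()


def append_entry(log: list, **fields) -> CustodyEntry:
    """Link a new entry to the current tail of the log."""
    prev = log[-1].digest() if log else ""
    entry = CustodyEntry(prev_hash=prev, **fields)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (True, len(log)) if every link holds, else (False, index of first bad entry)."""
    prev = ""
    for i, entry in enumerate(log):
        if entry.prev_hash != prev:
            return False, i
        prev = entry.digest()
    return True, len(log)


def build_demo_log() -> list:
    """Constructed custody trail for one seized floppy disk."""
    image_hash = hashlib.sha256(b"constructed image bytes").hexdigest()
    log = []
    common = dict(case_no="C-2009-0001", item_no=1)
    append_entry(log, **common, action="seized", handler="A. Investigator",
                 timestamp="2009-02-03T09:15:00Z", location="suspect office, desk drawer",
                 evidence_sha256="")
    append_entry(log, **common, action="sealed and locked", handler="A. Investigator",
                 timestamp="2009-02-03T09:40:00Z", location="evidence locker 7",
                 evidence_sha256="")
    append_entry(log, **common, action="checked out and imaged", handler="B. Examiner",
                 timestamp="2009-02-04T10:05:00Z", location="forensics lab, workstation 2",
                 evidence_sha256=image_hash)
    append_entry(log, **common, action="returned", handler="B. Examiner",
                 timestamp="2009-02-04T11:30:00Z", location="evidence locker 7",
                 evidence_sha256=image_hash)
    return log


def tampered_copy(log: list) -> list:
    """Someone later rewrites entry 1's location; entry 2 still points at the old digest."""
    bad = list(log)
    bad[1] = replace(bad[1], location="evidence locker 3")
    return bad
```

Two caveats a reviewer would raise. The last entry has no successor, so nothing in the log itself protects it; write the tail digest somewhere the log cannot reach (the final report, the evidence tape, a signed e-mail). And the chain proves the integrity of the record, not of the evidence, which is why the imaging step records the image hash: that value is what lets the image be re-verified later.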

Page 10:

3. Securing your Evidence

- Use evidence bags to secure and catalog the evidence
- Use computer-safe products: antistatic bags/pads, well-padded containers
- Use evidence tape to seal all openings: floppy disk or CD drives, power supply electrical cord
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges

Page 11:

Objectives

- Prepare a case
- Conduct an investigation
  - Overview
  - Preserving data on floppy disks
  - Preserving data on hard disks
  - Collecting data remotely
  - FTK for disk imaging and analysis
- Complete a case
- Critique a case

Page 12:

Setting Up a Specific Workstation for Collecting Evidence

Why is DOS sometimes needed for acquiring data?
- Windows may contaminate files during maintenance: it writes to any disk it mounts (timestamps, system housekeeping), so evidence attached to a Windows box without a write-blocker is no longer pristine
- Set up a Windows 98 workstation to boot into MS-DOS (P. 40):
  - Display a Startup menu
  - Modify the Msdos.sys file using any text editor
- Install a computer forensics tool: DriveSpy and Image

Page 13:

Conducting an Investigation

- Begin by copying the evidence using a variety of methods
- Recall that no single method retrieves all data
- The more methods you use, the better

Page 14:

Gathering the Evidence

- Take all necessary measures to avoid damaging the evidence
- Place the evidence in a secure container
- Complete the evidence custody form
- Transport the evidence to the computer forensics lab
- Create forensic copies (if possible)
- Secure the evidence by locking the container

Page 15:

Understanding Data-Recovery Workstations and Software

- Investigations are conducted in a computer forensics lab (or data-recovery lab); computer forensics and data recovery are related but different
- Computer forensics workstation: a specially configured personal computer
- To avoid altering the evidence, use write-blocker devices and a forensic boot floppy disk
- Example: FRED-M System, https://www.digitalintelligence.com/cart/html/FRED-M-System.html


Page 17:

Understanding Bit-stream Copies

- A bit-by-bit copy of the original storage medium: an exact copy of the original disk, including the space the file system considers free
- Different from a simple backup copy: backup software copies only the files the file system knows about
- Backup software cannot copy deleted files or e-mail messages, or recover file fragments, because those remain only in space that has been marked free

Page 18:

Understanding Bit-stream Copies (Cont.)

- A bit-stream image file contains the bit-stream copy of all data on a disk or partition
- It is preferable to copy the image file to a target disk that matches the original disk's manufacturer, size, and model, so that the sector count and geometry line up and the restored disk behaves like the original
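The difference between a backup and a bit-stream copy, as an added example that is not part of the slides and not the output of FTK Imager, DriveSpy or any other tool named here. The "disk" is a constructed byte string laid out as fixed-size clusters with a one-byte-per-cluster allocation table in cluster 0; the deleted memo, the report text and the cluster layout are all made up for the demonstration. The imager hashes the stream as it reads it, which is what lets the image file be verified against the acquisition hashes afterwards:

```python
"""Bit-stream image versus backup copy.

Added example with constructed data; it is not FTK Imager or DriveSpy output.
A toy "disk" is laid out as fixed-size clusters with a one-byte-per-cluster
allocation table in cluster 0. A logical backup copies only allocated clusters;
a bit-stream image copies every byte, including the cluster a deleted memo left
behind, and hashes the stream during acquisition so the image can be verified.
"""
import hashlib

CLUSTER = 512
NUM_CLUSTERS = 8


def make_disk() -> bytes:
    """Cluster 0: allocation table. 1-2: report.txt. 3: freed cluster still holding a deleted memo."""
    clusters = [bytearray(CLUSTER) for _ in range(NUM_CLUSTERS)]
    table = bytearray(NUM_CLUSTERS)
    table[0] = table[1] = table[2] = 1          # clusters 3..7 are marked free
    clusters[0][:NUM_CLUSTERS] = table
    report = b"Quarterly report: all figures reviewed and approved."
    clusters[1][:len(report)] = report
    memo = b"DELETED MEMO: wire the funds on Friday"
    clusters[3][:len(memo)] = memo              # unlinked from the table, bytes remain
    return b"".join(bytes(c) for c in clusters)


def allocated_clusters(disk: bytes) -> list:
    table = disk[:NUM_CLUSTERS]
    return [i for i in range(NUM_CLUSTERS) if table[i]]


def backup_copy(disk: bytes) -> bytes:
    """What backup software does: copy only what the file system says is in use."""
    return b"".join(disk[i * CLUSTER:(i + 1) * CLUSTER] for i in allocated_clusters(disk))


def bitstream_image(disk: bytes, chunk: int = 1024) -> tuple:
    """What an imager does: read every byte sequentially, hashing the stream as it goes."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    out = bytearray()
    for off in range(0, len(disk), chunk):
        block = disk[off:off + chunk]
        out += block
        for h in (md5, sha1, sha256):
            h.update(block)
    hashes = {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}
    return bytes(out), hashes


def verify_image(image: bytes, acquisition_hashes: dict) -> bool:
    """Re-hash the stored image and compare with the hashes recorded at acquisition."""
    return all(hashlib.new(name, image).hexdigest() == value
               for name, value in acquisition_hashes.items())


def demo() -> dict:
    disk = make_disk()
    backup = backup_copy(disk)
    image, hashes = bitstream_image(disk)
    return {
        "image_is_exact": image == disk,
        "image_verified": verify_image(image, hashes),
        "backup_verified_as_disk": verify_image(backup, hashes),   # a backup never matches the source hash
        "deleted_memo_in_backup": b"DELETED MEMO" in backup,
        "deleted_memo_in_image": b"DELETED MEMO" in image,
        "backup_bytes": len(backup),
        "image_bytes": len(image),
    }
```

The same check applies to a real acquisition: hash the source through the write-blocker, hash the image file after writing it, and record both on the evidence form; if they differ, the copy is not an exact duplicate and must be redone before any analysis.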

Page 19:

Understanding Bit-stream Copies (Cont.)


Page 21:

Creating a Forensic Boot Floppy Disk

- The goal is not to alter the original data on a disk
- A computer accesses files during startup. So what? The OS writes to the disk while booting, which changes the evidence
- The preferred way to preserve the original data is to never examine it directly: make forensic copies
- Create a special boot floppy disk that prevents the OS from altering the data when the computer starts up
- Windows 9x can also alter other files, especially if DriveSpace is implemented on a file allocation table (FAT) 16 disk

Page 22:

Assembling the Tools for a Forensic Boot Floppy Disk

Tools:
- Disk editor such as Norton Disk Edit or Hex Workshop
- Floppy disk
- MS-DOS OS
- Computer that can boot to a true MS-DOS level
- Forensics acquisition tool
- Write-block tool

Page 23:

Assembling the Tools for a Forensic Boot Floppy Disk (Cont.)

Steps:
- Make the floppy disk bootable
- Update the OS files to remove any reference to the hard disk (using Hex Workshop or Norton Disk Edit) (P. 50), in order to prevent access to C:\
- Modify the command.com file on the floppy disk
- Modify the Io.sys file on the floppy disk to disable DriveSpace
- Add computer forensic tools
- Test your floppy disk
- Create several backup copies


Page 25:

Retrieving Evidence Data Using a Remote Network Connection

- Bit-stream image copies can also be retrieved over a workstation's network connection
- Software: SnapBack, EnCase, R-Tools
- This can be a time-consuming process even with a 1000-Mbps (gigabit) connection
- It takes less time over a direct NIC-to-NIC connection, which avoids sharing the link with other traffic


Page 27:

Review of Hash Algorithms

Figure: message of arbitrary length -> hash H -> a fixed-length short message

- Also known as: message digests, one-way transformations, one-way functions, hash functions
- The length of H(m) is much shorter than the length of m
- Usually fixed lengths: 128 or 160 bits (16 or 20 bytes), i.e. MD5 and SHA-1. Both now have practical collision attacks, so for new work record SHA-256 (256 bits, 32 bytes) alongside or instead of them; existing MD5/SHA-1 acquisition hashes still show that a copy matches its source

Page 28:

Applications of Hash Functions

- Downloading software from the Internet: the web page lists an MD5 hash; you calculate the MD5 hash of the download and compare
- The hash serves as the identity of a file
- Example: GPG4Win - EMail-Security using GnuPG for Windows, http://www.gpg4win.org/

Figure: listed hash vs. calculated hash -> equal or not

Page 29:

Applications of Hash Functions (Cont.)

Primary application: verify a digital signature

Figure: the signer A sends m together with dA(H(m)), the hash of m transformed with A's private key. The verifier computes H(m) from the received m, recovers H'(m) = eA(dA(H(m))) with A's public key e, and compares H'(m) with H(m): equal -> yes, otherwise -> no.
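An added example covering the two preceding slides (not the slides' own figures, and not code from gpg4win or WinPT): part 1 is the download check, comparing the hash a site lists with the hash computed over the bytes actually received; part 2 works the verification equation H'(m) = eA(dA(H(m))) with a small textbook-RSA key pair. The key (two Mersenne primes), the "installer" bytes and the listed hash are all constructed; the RSA is unpadded and far too small for real use, it is here only so the arithmetic on the slide is visible:

```python
"""Hash as file identity, then signature verification over the hash.

Added example, not the slides' figures or any gpg4win/WinPT code. Part 1 is the
download check: compare the hash the site lists with the hash computed over the
bytes you actually received. Part 2 works H'(m) = eA(dA(H(m))) with a small
textbook-RSA key (constructed, unpadded, for arithmetic only; never use this
for real signatures).
"""
import hashlib
import hmac


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the same bytes, as a tool would list them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_listed(data: bytes, listed: str, algo: str = "sha256") -> bool:
    """Compare a computed hash with the one copied from the download page."""
    computed = hashlib.new(algo, data).hexdigest()
    # compare_digest is constant-time; strip/lower tolerates pasted case and whitespace
    return hmac.compare_digest(computed, listed.strip().lower())


# Textbook RSA for the signature figure. P and Q are Mersenne primes, chosen so the
# numbers stay readable; real keys are 2048+ bits and use a padding scheme.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537                               # public exponent eA
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent dA


def h_int(m: bytes) -> int:
    # H(m): first 8 bytes of SHA-256, so the integer is below N; padding would do this properly
    return int.from_bytes(hashlib.sha256(m).digest()[:8], "big")


def sign(m: bytes) -> int:
    """dA(H(m)): the signer applies the private key to the hash."""
    return pow(h_int(m), D, N)


def verify(m: bytes, sig: int) -> bool:
    """eA(sig) recovers H'(m); accept only if it equals the freshly computed H(m)."""
    return pow(sig, E, N) == h_int(m)


def demo() -> dict:
    download = b"constructed installer bytes, standing in for gpg4win-1.1.3.exe"
    listed = hashlib.sha256(download).hexdigest()        # what the vendor page would list
    sig = sign(download)
    tampered = download + b"\x00"                         # one byte appended in transit
    return {
        "hash_ok": matches_listed(download, listed),
        "hash_tampered": matches_listed(tampered, listed),
        "hash_ok_pasted_upper": matches_listed(download, " " + listed.upper() + "\n"),
        "sig_ok": verify(download, sig),
        "sig_tampered": verify(tampered, sig),
        "sig_forged": verify(download, sig + 1),
    }
```

The two checks answer different questions. A listed hash fetched from the same site as the download only shows the bytes arrived intact; anyone who can replace the installer can replace the hash next to it. The signature binds the hash to a key, so if you trust the key you also learn who produced the file, which is why the slide calls it the primary application.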

Page 30:

Copying the Evidence Disk

- Recall that a forensic copy is an exact duplicate of the original data
- Create a forensic copy using MS-DOS or a specialized tool such as Digital Intelligence's Imager
- First, create a bit-stream image; then, copy the image to a target disk

Page 31:

Creating a Bit-stream Image with FTK Imager

Functions:
- Create the image of a physical drive
- Extract the image from a bit-stream image file
- Analyze the image

Forensic Software Downloads (link):
- Forensic Toolkit (FTK) version
- FTK Imager version or FTK Imager Lite version 1
- Known File Filter Library File version (not necessary)

Page 32:

Creating a Bit-stream Image with FTK Imager (Cont.)

- Start Forensic Toolkit (FTK) Imager by double-clicking the icon on your desktop
- Click File, Image Drive from the menu; insert the floppy disk labeled "Domain Name working copy #2"
- In the dialog box that opens, click the A: drive to select a local drive, then click OK
- A wizard walks you through the steps: accept all the defaults, specify the destination folder (if necessary, create a folder called Forensics Files), and name the file Bootimage.1

Page 33:

FTK Imager: Create Image

Page 34:

FTK Imager: Read Image

Page 35:

Analyzing Your Digital Evidence with Forensic Toolkit (FTK)

Your job is to recover data from:
- Deleted files
- File fragments
- Complete files

Deleted files linger on the disk until new data is saved on the same physical location, which is why the analysis is done on the bit-stream image rather than on a backup

Tools: Digital Intelligence's DriveSpy, AccessData's FTK

Page 36:

Analyzing Your Digital Evidence (Cont.)

Page 38:

In-Class Exercise

1. Form the group
2. Check the checksums (MD5 and SHA1) of the downloaded gpg4win-1.1.3.exe by using WinPT within gpg4win
3. Play with FTK and search around the image

Page 40:

Completing the Case

- You need to produce a final report
- State what you did and what you found
- You can even include logs from the forensic tools you used
- If required, use a report template
- The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy

Page 42:

Critiquing the Case

Ask yourself the following questions:
- How could you improve your participation in the case?
- Did you expect the results you found?
- Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?

Page 43:

Critiquing the Case (Cont.)

Questions continued:
- What feedback has been received from the requesting source?
- Did you discover any new problems? What are they?
- Did you use new techniques during the case or during research?